A Risk Management Standard
Figure: the risk management process. The Organisation's Strategic Objectives feed Risk Assessment, which comprises Risk Analysis (Risk Identification, Risk Description, Risk Estimation) and Risk Evaluation; this is followed by Risk Reporting (Threats and Opportunities), Decision, Risk Treatment and Monitoring, with Formal Audit and Modification feeding back into the process.
Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation's objectives by:
4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation's exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.

• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.

• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.

• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.

• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house 'ownership' of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment
Medium (Possible) | Likely to occur in a ten year time period or less than 25% chance of occurrence. | Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?
4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that 'ownership' of the risk is recognised and the appropriate management resource allocated.
5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation, therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
On the following pages are extracts from the document PD ISO/IEC Guide 73:2002, reproduced with the permission of British Standards Institution under licence number 2002SK/0313. British Standards can be obtained from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. (Tel +44 (0) 20 8996 9001)
This publication is available from the above organisations for download from their respective websites free of charge.
Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.